Sophos endpoint using high cpu when updating windows

Thank you for reaching out to the community forum.

Aside from the Windows update, is there any other activity going on while you experience the issue?

Also, may we know the specs of the device that has this behavior? 

Thank you for your reply.

The specifications are as follows: an Intel Core i3 10th generation CPU paired with 8GB of RAM.

My user work with Office and Chrome when Windows is updating.

Are there any additional settings to minimize the background scanning while Windows is updating?

Hi Tri Nguyen2 ,

Can you try applying these Microsoft recommended exclusions, which can also be found in the following knowledge base article - https://support.sophos.com/support/s/article/KB-000033519?language=en_US and see if it helps? You may try excluding the Wsusscan.cab and Wsusscn2.cab files or excluding all .cab files from scanning.

I suggest creating a temporary Threat Protection policy first, which you can apply to the devices before they update. And then, you can create the exclusions within this temporary policy.

Let us know how it goes.

I assume all the work is by tiworker.exe which has the "file description" "Windows Modules Installer Worker" which is what this Processes view of TaskManager shows.

If this process during a Windows update is creating a lot of reg keys/values and files, SSPService is subjected to a lot of regkeycreate and regvaluewrite operations. Plus all the new files. These operations are all journaled.  The activity from SophosFileScanner.exe would suggest many of the files are being scanned as well.

If you wanted to test the behaviour with tiworker.exe excluded as a process. I.e. it is referenced in OnAccessExcludeProcessPaths under: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\Scanning\Config once the policy comes down.

As to if this is a secure approach is another question but, could be tested.